Best Practices for Software Supply Chain Risk Assessments

BSides CT · 2020 · 56:48 · Published 2020-11
About this talk
Software supply chain risk, especially the risk of foreign influence, has received high visibility in the Energy industry. Software objects should never be installed without first performing a comprehensive risk assessment to determine whether a software object can be trusted to perform its function without introducing or increasing cyber risk. This session describes best practices using a seven-step software supply chain risk assessment, based on the NIST Cybersecurity Framework V1.1, to protect the bulk electric system from the cyber risks inherent in software used for command and control.

Dick Brooks, the Co-Founder of Reliable Energy Analytics (REA), is a technical leader with extensive experience designing and building Business Intelligence, Data and Risk Analytic Platforms, Cybersecurity solutions and Enterprise Architectures for the Energy industry. He continues to lead the development of energy industry standards at NAESB and in committee meetings where market rules and industry standards are being developed. He currently serves as the Vice Chairman of NAESB's Wholesale Electric Quadrant (WEQ) Executive Committee and Chairman of the WEQ Business Practices Subcommittee, and has been an active participant in the WEQ Cybersecurity Subcommittee since its inception. In 2020 he re-joined OASIS-Open to work on industry standards for the automated reporting of cyber incidents as part of the OASIS Cyber Threat Intelligence (CTI) TC STIX/TAXII standards, to programmatically submit "attempt to compromise" alerts to CISA ICS-CERT in accordance with NERC CIP-008-6. He also actively participates in the Department of Commerce NTIA Software Transparency (SBOM) initiative.

He is the lead software engineer responsible for REA's software product, the Software Assurance Guardian Point Man (TM) (SAG-PM)(TM) software, a software supply chain risk assessment and management platform employing patent-pending methods for the verification of software integrity and authenticity, applying NIST Cybersecurity Framework guidelines to augment NERC CIP-010-3 R1, Part 1.6 as suggested by FERC in their 6/18/2020 White Paper (see docket AD20-19-000). A trust score, called a SAGScore (similar to a FICO score), provides Bulk Electric System (BES) entities with a trustworthiness score for a software object before any attempt to install it in a BES cyber system, giving a company the opportunity to make a risk-based decision to install, or not install, that software object in the BES.